Vulnerability DatabaseCVE-2026-33151
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-33151
March 20, 2026
Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6.
Affected Packages
socket.io-parser (NPM):
Affected version(s) >=1.0.1 <3.3.5
Fix Suggestion:
Update to version 3.3.5
socket.io-parser (NPM):
Affected version(s) >=4.0.0 <4.2.6
Fix Suggestion:
Update to version 4.2.6
socket.io-parser (NPM):
Affected version(s) >=3.4.0 <3.4.4
Fix Suggestion:
Update to version 3.4.4
Related Resources (6)
https://nvd.nist.gov/vuln/detail/CVE-2026-33151
https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4
https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf
https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9
https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78
https://github.com/socketio/socket.io
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Improper Check for Unusual or Exceptional Conditions
CWE-754
Improper Input Validation
CWE-20